OPERATIONS · TRUST CENTER

Trust, by construction.

One page for your security team — isolation enforced where the data lives, an audit trail you can't bypass, and an AI that proposes but never decides.

TRUST AT A GLANCE
Where your data lives, who can touch it.

  • 5 layers · Isolation defence in depth
  • 119 tables · Database-enforced isolation
  • ca-central-1 · Canada · single region
  • AES-256 · Encrypted at rest
  • Every change · Logged with the change
  • PITR 7d · Recovery point ≤ 1 minute

01 AI GOVERNANCE

AI proposes. Humans decide.

The first AI-native procurement question is whether the AI can alter your safety records. It cannot — not on its own, and not through the API.

Every AI write waits for a person

When the AI wants to change a record, it stops and shows a one-click approval card. Nothing is written until someone accepts it — the AI cannot act on its own.

Unsure or off-catalogue output is held back

A low-confidence suggestion, or one that falls outside your taxonomy, is queued for a human to review. It is never silently written into a safety record.

Accept / change / reject is recorded

What the AI proposed, and what the person did with it, is written to a decision ledger the database itself constrains — a defensible trail of human oversight, not a black box.

The AI cannot move the workflow or sign anything off

Workflow stage and governance state — closures, approvals, sign-offs — are reserved for people. No AI, and no API call, can set them. Only a human can.

Confidential reports stay invisible to the AI for analysts who lack clearance — just-culture protection holds straight through the copilot.

02 JUST CULTURE

Reporters stay protected.

ICAO Annex 19 protection is built into the platform — held through the queue, notifications, partner sharing and the AI.

Anonymous and confidential intake

A reporter can file anonymously or in confidence. In those modes the identity is dropped at write time — not encrypted and held, but unrecoverable by design.

Three protection tiers, with named clearance

Reports carry a protected, restricted or confidential tier. Who can open each tier is a role allowlist plus explicit, granted clearance — not an honour system.

Protection holds everywhere — including through the AI

The same clearance gates the personal queue, notifications, partner sharing and the AI copilot. A report you are not cleared for simply is not there, even if you ask the AI.

Learning leaves without exposing the reporter

A closed occurrence can become a de-identified safety bulletin — names, tail numbers and dates scrubbed, and a person approves it — so the lesson travels and the reporter does not.

03 TENANT ISOLATION

Five layers. The database has the last word.

One database, every operator separated — if any one layer fails, the next still holds. The deepest layer is the database itself.

L1 · Every endpoint checks who is asking

Each server-side request is filtered to the calling operator's organisation. Middleware runs on every request — no endpoint touches data without an organisation in context.

L2 · Every query carries your organisation

Each query against shared data includes the operator's organisation as part of the condition. A continuous integration gate blocks any new endpoint that lacks the filter.

L3 · Background work stays in one organisation

Scheduled and background jobs wrap every operation in a single-organisation context that resets between operators — even cross-operator reporting cannot read across the line.

L4 · The public data path is closed by default

The database roles that face the outside world can read no operator data at all. Even a leaked public client key reads nothing across operators — the path is shut at the database, not just the app.

L5 · The database refuses to cross the line

Database-enforced isolation is live in production across 119 organisation-scoped tables, against an application role that has no power to bypass it. A query missing your organisation returns zero rows at the database edge — so a single app bug cannot expose another operator's data.

A continuous integration gate blocks any new endpoint or table that lacks the organisation filter or its database-isolation policy — the rule can't be forgotten.
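
The fail-closed pattern behind layers L1 to L3, as an added example that is not eAviora's own code: a context variable holds the calling operator's organisation, a query helper refuses to run without one and binds it into the condition, and a background runner resets the context between operators. The table, the rows and the placeholder convention (the organisation is always the last bound parameter) are assumptions made for this example; the database-enforced policy of L5 is not modelled here.

```python
"""Fail-closed organisation context for request handlers and background jobs.

Added example, not eAviora's own code. Assumes a context variable holding the
calling operator's organisation, a query helper that refuses to run without one,
and a job runner that resets the context between operators. Data is constructed.
"""
import contextvars
import sqlite3
from contextlib import contextmanager

_current_org = contextvars.ContextVar("current_org", default=None)


@contextmanager
def organisation(org_id: str):
    """Run the enclosed work as exactly one organisation, then reset to none."""
    token = _current_org.set(org_id)
    try:
        yield org_id
    finally:
        _current_org.reset(token)


def scoped_query(conn, sql: str, params=()):
    """Layers 1 and 2: no organisation in context means no data at all, and the SQL
    must end with the organisation placeholder, which is bound here (the page's
    CI gate is the real guard that no query ships without the filter)."""
    org = _current_org.get()
    if org is None:
        raise PermissionError("no organisation in context; query refused")
    if not sql.rstrip().endswith("org_id = ?"):
        raise ValueError("query does not carry the organisation filter")
    return conn.execute(sql, (*params, org)).fetchall()


def setup() -> sqlite3.Connection:
    """Constructed sample data: hazards for two operators in one shared table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hazards (id TEXT PRIMARY KEY, org_id TEXT NOT NULL, title TEXT)")
    conn.executemany("INSERT INTO hazards VALUES (?, ?, ?)", [
        ("h1", "org_a", "Runway incursion at taxiway B"),
        ("h2", "org_b", "Fatigue in winter rostering"),
        ("h3", "org_a", "Birdstrike season"),
    ])
    conn.commit()
    return conn


def hazard_ids(conn):
    return sorted(row[0] for row in scoped_query(conn, "SELECT id FROM hazards WHERE org_id = ?"))


def hazard_ids_as(conn, org_id: str):
    with organisation(org_id):
        return hazard_ids(conn)


def query_without_context_is_refused(conn) -> bool:
    try:
        hazard_ids(conn)
        return False
    except PermissionError:
        return True


def unfiltered_query_is_refused(conn) -> bool:
    with organisation("org_a"):
        try:
            scoped_query(conn, "SELECT id FROM hazards")
            return False
        except ValueError:
            return True


def nightly_hazard_counts(conn, org_ids):
    """Layer 3: each operator runs inside its own context, and the context is
    empty again afterwards, so nothing carries over to the next operator."""
    counts = {}
    for org in org_ids:
        with organisation(org):
            counts[org] = len(hazard_ids(conn))
    return counts


def current_org():
    return _current_org.get()
```

The check in scoped_query is a runtime belt, not a substitute for the continuous integration gate the page describes: a query that smuggles the placeholder behind an OR would pass the string test, which is exactly why the last word belongs to the database policy in L5.
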

04 AUDIT POSTURE

A trail you can't bypass.

Coverage

Every server-side change writes an audit entry in the same database transaction as the change itself — so the record and its log commit together, or not at all. The trail is tamper-evident, and there is no path that skips it.
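
The commit-together property in practice, as an added example that is not eAviora's own code: an in-memory SQLite database with an AFTER UPDATE trigger writes the audit row inside the same transaction as the change, the actor is read from a per-transaction context row so a write with no actor is refused outright, and any failure after the change rolls back the record and its log line together. The schema, the closure rule and the trigger approach are assumptions for this example; the page states the property, not the implementation.

```python
"""Change and audit entry committed together, or not at all.

Added example, not eAviora's own code. Uses SQLite and an AFTER UPDATE trigger
so the log line is produced inside the same transaction as the change. Schema,
rule and data are constructed for the example.
"""
import sqlite3

SCHEMA = """
CREATE TABLE occurrences (
    id      TEXT PRIMARY KEY,
    org_id  TEXT NOT NULL,
    status  TEXT NOT NULL CHECK (status IN ('open', 'under_review', 'closed'))
);
CREATE TABLE corrective_actions (
    id            TEXT PRIMARY KEY,
    occurrence_id TEXT NOT NULL REFERENCES occurrences(id)
);
CREATE TABLE audit_log (
    seq        INTEGER PRIMARY KEY AUTOINCREMENT,
    org_id     TEXT NOT NULL,
    record_id  TEXT NOT NULL,
    actor      TEXT NOT NULL,   -- a NULL actor violates this and aborts the change
    old_status TEXT NOT NULL,
    new_status TEXT NOT NULL
);
CREATE TABLE tx_context (k TEXT PRIMARY KEY, v TEXT NOT NULL);
CREATE TRIGGER occurrences_audit AFTER UPDATE OF status ON occurrences
BEGIN
    INSERT INTO audit_log (org_id, record_id, actor, old_status, new_status)
    VALUES (NEW.org_id, NEW.id,
            (SELECT v FROM tx_context WHERE k = 'actor'),
            OLD.status, NEW.status);
END;
"""


def setup() -> sqlite3.Connection:
    """Constructed sample data: one open occurrence per organisation, no actions yet."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO occurrences VALUES (?, ?, 'open')",
                     [("occ_1", "org_a"), ("occ_2", "org_b")])
    conn.commit()
    return conn


def update_status(conn, org_id: str, record_id: str, actor: str, new_status: str) -> bool:
    """One transaction: record the actor, change the row (the trigger logs it),
    apply the closure rule. Any failure rolls back change and audit row together."""
    try:
        with conn:  # commit on success, rollback on any exception
            conn.execute("INSERT OR REPLACE INTO tx_context (k, v) VALUES ('actor', ?)", (actor,))
            changed = conn.execute(
                "UPDATE occurrences SET status = ? WHERE id = ? AND org_id = ?",
                (new_status, record_id, org_id),
            ).rowcount
            if changed != 1:
                raise LookupError("no such record in this organisation")
            if new_status == "closed":
                # Constructed rule in the spirit of the page's closure discipline:
                # a record cannot close without a linked corrective action.
                (n,) = conn.execute("SELECT COUNT(*) FROM corrective_actions WHERE occurrence_id = ?",
                                    (record_id,)).fetchone()
                if n == 0:
                    raise ValueError("closure requires a linked corrective action")
            conn.execute("DELETE FROM tx_context WHERE k = 'actor'")
        return True
    except (LookupError, ValueError):
        return False


def direct_update_is_refused(conn, record_id: str) -> bool:
    """A write that bypasses the application layer still fires the trigger; with no
    actor in context the NOT NULL constraint aborts the whole statement."""
    try:
        with conn:
            conn.execute("UPDATE occurrences SET status = 'under_review' WHERE id = ?", (record_id,))
        return False
    except sqlite3.IntegrityError:
        return True


def status_of(conn, record_id: str) -> str:
    return conn.execute("SELECT status FROM occurrences WHERE id = ?", (record_id,)).fetchone()[0]


def audit_entries(conn, org_id: str):
    return conn.execute(
        "SELECT record_id, actor, old_status, new_status FROM audit_log WHERE org_id = ? ORDER BY seq",
        (org_id,),
    ).fetchall()
```

The rejected closure is the point of the example: the UPDATE ran and the trigger produced its audit row, then the rule failed and SQLite discarded both, so the viewer never shows a change that did not happen and never misses one that did.
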

Surface

A self-serve viewer inside your tenant lets you filter by who, what, which record and when, and export to JSON or CSV for your auditor.

Retention

365 days by default, with per-tenant controls — within the regulatory minimums set by your civil aviation authority.

05 AUTHENTICATION

Enterprise identity, end to end.

Sign in the way your identity provider works, and govern every session.

METHOD | WHEN USED | NOTES
Email + password | Default for individual users | Hashed at rest; checked against known-breached passwords on every set
Magic-link email | Passwordless — less to phish | Single-use token, 60-minute expiry
Single sign-on (Google / Microsoft / Okta) | Sign in with your existing identity provider | Email domain pinned to your organisation on first link
SAML 2.0 | Enterprise identity provider | Per-organisation; users provisioned on first sign-in; SSO can be required
SCIM 2.0 provisioning | Identity-provider-driven user lifecycle | Joiners and leavers created and removed automatically
Passkeys + authenticator codes | Phishing-resistant second factor | Touch ID / Windows Hello / security key; authenticator codes; admin reset

Session control

Two-factor, your way

Passkeys (Touch ID, Windows Hello, a hardware key) or authenticator codes. An admin can reset a locked-out user's second factor.

See and end every session

Each user sees their active sessions and their last sign-ins, and can sign out everywhere in one click. Admins can require single sign-on for the whole organisation.

06 MACHINE ACCESS

Automation can't skip sign-off.

The API and AI connectors are open — and run the same checks as the screen, with no shortcut around governance.

One path for people, machines and AI

The REST API, the AI connector and the agent connector all run the exact same checks as the screen: who you are, whether you are within limits, whether you can see this organisation's data, whether you are allowed to do this, and every action is written to the audit log.

Automation cannot skip sign-off

Workflow and governance state cannot be set through any machine surface. An integration or an AI assistant moves data; only a person closes a record or signs it off.

Connect an AI assistant under one consent

The AI connector uses standard registration with proof-key exchange, single-use codes, short-lived access and rotating refresh. Your team consents once; the link acts as that user, with that user's exact permissions.

Outbound webhooks are signed and can't be tricked

Every webhook is signed so the receiver can verify it really came from us, and every destination is checked against a safe-egress blocklist — loopback, private ranges and cloud-metadata addresses are refused.
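
Both halves of that sentence, as an added example that is not eAviora's own code: the sender signs each delivery with HMAC-SHA256 and the receiver verifies it in constant time with a replay window, and the destination is refused unless it is https and every address it resolves to is public. The header names, the "<timestamp>.<body>" signing input, the five-minute window and the hostname table are assumptions made for this example; the page states the signing and the blocklist, not their exact form.

```python
"""Signed outbound webhook and a safe-egress destination check.

Added example, not eAviora's own code. Header names, signing input, replay
window and the DNS stand-in below are assumptions for this example.
"""
import hashlib
import hmac
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlsplit

TOLERANCE_SECONDS = 300  # assumed replay window: stale or future timestamps are refused

# Constructed sample delivery and shared secret (a real secret is generated per
# destination and shown once at create time).
SAMPLE_BODY = b'{"event":"occurrence.closed","id":"occ_123"}'
SAMPLE_SECRET = b"whsec_constructed_example_not_a_real_secret"


def sign(body: bytes, secret: bytes, timestamp: int) -> Dict[str, str]:
    """Sender side: HMAC-SHA256 over "<timestamp>.<body>", so the timestamp is bound."""
    message = str(timestamp).encode() + b"." + body
    digest = hmac.new(secret, message, hashlib.sha256).hexdigest()
    return {"X-Webhook-Timestamp": str(timestamp), "X-Webhook-Signature": "v1=" + digest}


def verify(body: bytes, headers: Dict[str, str], secret: bytes, now: int) -> bool:
    """Receiver side: recompute over the raw body, compare in constant time,
    and reject deliveries outside the replay window."""
    try:
        timestamp = int(headers["X-Webhook-Timestamp"])
        presented = headers["X-Webhook-Signature"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    expected = sign(body, secret, timestamp)["X-Webhook-Signature"]
    return hmac.compare_digest(expected, presented)


# Ranges a webhook must never be delivered to: loopback, RFC 1918 and ULA private
# space, link-local (which contains the 169.254.169.254 cloud-metadata endpoint),
# carrier-grade NAT, "this network" and the unspecified address.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10", "::/128",
)]
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def is_blocked_address(raw: str) -> bool:
    ip = ipaddress.ip_address(raw.split("%", 1)[0])  # drop an IPv6 zone id if present
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return any(ip in net for net in BLOCKED_NETWORKS)


def system_resolver(host: str) -> List[str]:
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


# Constructed stand-in for DNS so the check runs offline; "rebinder.example"
# models a name that answers with one public and one private address.
CONSTRUCTED_DNS = {
    "hooks.example": ["203.0.113.10"],
    "rebinder.example": ["203.0.113.10", "10.0.0.5"],
    "internal.example": ["10.0.0.5"],
}


def constructed_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


def is_safe_egress(url: str, resolver: Callable[[str], List[str]] = system_resolver) -> bool:
    """Refuse a destination unless it is https and every resolved address is public.
    The delivery should then connect to the address that was checked rather than
    resolving the name a second time."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme != "https" or not host:
        return False
    if host in BLOCKED_HOSTNAMES or host.endswith(".localhost"):
        return False
    try:
        return not is_blocked_address(host)  # a literal IP in the URL
    except ValueError:
        pass
    try:
        addresses = resolver(host)
    except OSError:
        return False
    return bool(addresses) and not any(is_blocked_address(a) for a in addresses)
```

Two details carry most of the value: the receiver compares with hmac.compare_digest rather than ==, and the egress check runs over every resolved address, not just the first, so a name that answers with a private address alongside a public one is refused as a whole.
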

Building an integration? /developers has the API, the AI connector and the webhook contract.

07 WHERE YOUR DATA LIVES

Canada. Single region.

Primary region
Canada (ca-central-1) · All operator records — database + file storage — in one region.
Application compute
Global edge · No stored data at the edge. Compute is short-lived and holds nothing.
Network edge
Global anycast · TLS 1.3 termination + denial-of-service protection at the edge.
Backups
Point-in-time recovery · 7 days · Recovery point ≤ 1 minute. Recovery time ≤ 1 hour.

08 ENCRYPTION

At rest + in transit

At rest
  • Database — AES-256 encryption, isolated per operator
  • File storage — AES-256 object encryption
  • Secrets (webhook secrets, API keys) — hashed at rest; shown in full once, at create
In transit
  • TLS 1.3 enforced edge to origin
  • Strict transport security — 1-year max age, all subdomains
  • Outbound webhooks signed so the receiver can verify them

09 SUB-PROCESSORS

Who touches your data

The service categories in the processing chain. Vendor names + agreements in Privacy 09 + Terms 09.

CATEGORY | REGION | ROLE
Database | ca-central-1 (Canada) | Tenant data, audit log, AI execution log. Encrypted at rest, isolated per operator.
Hosting & edge | | Application + static assets served from a global edge with automatic SSL.
AI provider | | Calibrated AI agents for classification, risk, bowtie and precursor detection.
Background processing | | Durable workers for notifications, retention, scheduled reports and webhook delivery.
Email delivery | | Transactional email for notifications, magic-links and digests.
Identity & storage | | Sessions, file uploads, OAuth, SAML callback for enterprise identity providers.
Security monitoring | | Error tracking and observability across the application.
Payments | | Subscription billing for paid plans (handled by an external processor — eAviora never stores card data).
DNS & DDoS protection | | Authoritative DNS, DDoS mitigation and TLS at the edge.
Full vendor names + data-processing agreements: /privacy 12 · /terms 09.

10 COMPLIANCE & DEFENSIBILITY

Where we stand

Aviation safety regulators

Built to support audits by national civil aviation authorities — FAA Part 5 safety management, EASA Part-ORO, Transport Canada CAR 705, ICAO Annex 19. The audit trail, retention controls and reporter-confidentiality model are designed for a regulator showing up with a notebook.

Closure that can't be faked

A degraded barrier requires a linked corrective action; the record can't close until that action passes an effectiveness check; accepting residual risk requires a two-person, co-signed waiver. The discipline a regulator expects is enforced by the system, proven by a 13-of-13 live-cluster scenario suite — not left to good intentions.

SOC 2 Type 2
In preparation

We are running our SOC 2 Type 2 readiness work. We do not claim a certificate we don't hold — the controls above stand on their own, by construction. Procurement teams that need a pre-audit questionnaire response can ask for the control matrix on the walkthrough.

GDPR + UK GDPR

A data-processing agreement is available on request, with standard contractual clauses for cross-border transfers to the sub-processor regions listed above.

11 DATA OWNERSHIP

Export everything, any time

Your data is yours. Trigger a full export whenever you want — nothing locks you in.

A full export builds a complete bundle of every record in your tenant — occurrences, hazards, indicators, actions, audits, investigations, documents, training records and the full audit log. It is built in the background and delivered as a 7-day signed download link by email, available as JSON, CSV, Parquet or PDF, and also through the REST API. Re-importable into any other vendor, or kept for your own archives. No support ticket required.

12 VULNERABILITY DISCLOSURE

Found something? Tell us.

Email security@eaviora.com with reproduction steps, the affected tenant (your tenant ID is enough), and your preferred disclosure window. We acknowledge within 24 hours, ship a fix or mitigation within 7 days for the most severe issues, and credit you in the advisory unless you ask us not to. We do not litigate good-faith research.

PROCUREMENT

Hand this to your security team.
We'll cover the rest live.

The questionnaire is mostly answered above — isolation, audit, AI governance, confidentiality, identity. Bring the open questions to a 30-minute walkthrough with the founder.